Using Azure AD as a identity provider for AWS

2
votes

We are trying to use Azure Active Directory as a Identity Provider for the Amazon AWS console but we are failing miserably!

We have tried both the "Amazon Web Services (AWS)" and "AWS Console" applications in Azure, but they both produce the following error when someone tries to use either application to access AWS:

"Your request did not include a SAML response"

We've followed the steps in the following article to create an identity provider in AWS: http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0

We used the following URL to upload the metadata for the identity provider in AWS: https:// login.windows.net//FederationMetadata/2007-06/FederationMetadata.xml

We are using the following URL when we configure the application in Azure AD: https:// signin.aws.amazon.com/saml

Using Fiddler we can see that nothing is being posted to the Amazon endpoint URL, the browser is just being redirected there without posting anything.

Has anyone managed to get this working, we are struggling to see what we have missed so any help/advice will be very much appreciated.

EDIT: We have also used the SAML tracer Add-On for Firefox to troubleshoot this, which shows nothing is being posted at all. There is a GET request to account.activedirectory.windowsazure.com, which is followed by another GET request to signin.aws.amazon.com

1
azureamazon-web-servicesazure-active-directory
Were you able to use the https://login.windows.net/<domain>/FederationMetadata/2007-06/FederationMetadata.xml as the metadata? (I'm trying to repro your issue, but I get "Could not parse metadata" when uploading the XML.)Philippe Signoret
Many thanks for taking a look at this, you need to save the file as UTF-8 without BOM before it's uploaded, take a look at this article forums.aws.amazon.com/thread.jspa?threadID=158960&tstart=0Jody G
FYI - Amazon were kind enough to take a look at this and they believe that Azure AD only supports passing the username and password to the login page and doesn't use SAML - forums.aws.amazon.com/thread.jspa?threadID=157023&tstart=0Jody G
Did anyone manage to successfully configure Windows Azure Active Directory with AWS? There are other SAML enabled services that are configurable with AAD. I suppose AWS should be possible as well.Charles Prakash Dasari

1 Answers

1
votes

It is possible to setup SSO with SAML federation from Azure AD to AWS console. Here are the steps in summary:

  • Create an Enterprise App in Azure AD. Search for "Amazon Web Services (AWS)", select it from the list, but make sure you give it a unique name of your own choice.
  • Go to Single Sign On blade and enable SAML federation. Add the two AWS required SAML attributes (Role and RoleSessionName) with corresponding AAD values.
  • Download SAML Certificate from the same page
  • Make sure Identifier field is not blank and finally save the changes.
  • On AWS side, you need to create an Identity Provider in IAM using the same SAML Certificate you had downloaded previously.
  • Create a Role using the Identity provider from previous step.
  • Finally you have to create mappings from AAD Groups to AWS Roles. There are two ways you could do this:

1- Using automatic provisioning. This method restricts you to have all your AWS roles in a single AWS account. Moreover, you need to create a user in AWS with read permissions on IAM and then assign programming keys to it. You then have to enter those keys inside AAD. I wouldn't recommend this approach.

2- You can go to App Registrations page in AAD and modify your application manifest JSON with your mappings. This allows you to create mappings to unlimited account/role combinations to Azure AD Groups. Moreover, you wouldn't have to create any users in AWS.

Happy federating!